I am trying to match a timestamp field depending on how many minutes ago (0-9, or 10+). I'm using a colorPalette of type="expression" to color a table column based on the age of the data. The field is concatenated from _time and a field that is evaluated from now()-_time. Here's an example of my field:
05/07/18 - 12:44:32 (1 minutes ago)
<format type="color" field="Updated">
<colorPalette type="expression">if (match (value, ".*\(\d\s.*"), "0x65A637", "0xD93F3C")</colorPalette>
</format>
The same statement, as an eval to add a table column, works fine, so I don't think the problem is with the regex match.
@camillak, somehow a complex regular expression for colorPalette, i.e. \d{1}, does not seem to work. Can you please try the following instead?
<format type="color" field="Updated">
<colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
</format>
Following is a run-anywhere dashboard based on Splunk's internal indexes. Following is the dashboard's Simple XML code:
<dashboard>
<label>Color based on Regular Expression Match</label>
<row>
<panel>
<table>
<search>
<query>| metadata type=sourcetypes index=_*
| table sourcetype totalCount lastTime
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| eval Updated=round((now()-lastTime)/60,0)
| eval Updated=if(Updated<10,Updated." Minutes Ago","10+ Minutes Ago")</query>
<earliest>0</earliest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="Updated">
<colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
</format>
</table>
</panel>
</row>
</dashboard>
I had actually just figured this out. The \d and \( were both not working. The example that you posted is almost exactly what I needed. Because the number of minutes is not at the beginning of my field, I still had to account for the open parenthesis. This worked for me:
<colorPalette type="expression">if (match (value, " .[0-9] minutes ago"), "0x65A637", "0xD93F3C")</colorPalette>
As pointed out by @jeffland, it seems like the 8.x version supports the case statement. Not sure from which version onward this started working. The following answer used case with match for applying colorPalette based on expression:
https://answers.splunk.com/answers/820403/how-to-change-font-color-based-on-a-condition-for.html
Are you using the actual text "color1" and "color2"? Those should be RGB hex values like #FF0000 (for red), or #00FF00 (for blue).
I believe you need to specify the field in your <format> tag too. Something like:
<format type="color" field="count">
Thanks for the suggestion. I am specifying the actual hex values, and have the field name in my format tag.
I noticed your regex is invalid in your match.
.{0,}(\d{1}\s.{0,}
There is an incomplete grouping by having an open "(" without a closing ")".
I escaped it in the original, the code sample tool is not behaving as I would like.
I think that this is not possible, by the way - I tried a much simpler regex and it did not work.
if (match (value, "Online"), "0x65A637", "0xD93F3C")
This has no effect on the column color although Online is the value. Simple if
if ( value == "Online", "0x65A637", "0xD93F3C")
works fine.